berbew | e2656a0a9d36dc5b6b7d45e24475690131c73748ab6fcf5fd0e302da0cad253f

Analysis

max time kernel
103s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
10/04/2025, 13:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-10_e5d54ea320209a3887a950e8bd2393b8_amadey_elex_rhadamanthys_smoke-loader.exe
Size

400KB
MD5

e5d54ea320209a3887a950e8bd2393b8
SHA1

8e85b574bb0579c1fe78b7b307bb5ffae5c4cab3
SHA256

e2656a0a9d36dc5b6b7d45e24475690131c73748ab6fcf5fd0e302da0cad253f
SHA512

1df8882d2bda2ad3b4fa27f373e1101087c3ecbde0557369a2bbf60bc4fca55ae009f59152d0fb037ee8ee93a8dbe6481baf896bf6ae877d008d0a54b2baada2
SSDEEP

12288:YBZ2LxteM2o8wE39uW8wESByvNv54B9f01Zm:YL2L72o8wDW8wQvr4B9f01Zm

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ofqpqo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngbpidjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Olcbmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lmiciaaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njnpppkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aepefb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmbfpp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofnckp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmidog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphoelqn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Medgncoe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njnpppkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nlaegk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofqpqo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	2025-04-10_e5d54ea320209a3887a950e8bd2393b8_amadey_elex_rhadamanthys_smoke-loader.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndcdmikd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pqpgdfnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ndcdmikd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ojjolnaq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pggbkagp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlopkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndfqbhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmiciaaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mmbfpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Opakbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Odkjng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ocbddc32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
116	Lmiciaaj.exe
4116	Lphoelqn.exe
1564	Mdckfk32.exe
5372	Medgncoe.exe
1380	Mlopkm32.exe
2264	Mdehlk32.exe
1624	Mgddhf32.exe
1744	Mlampmdo.exe
3572	Mgimcebb.exe
4156	Mmbfpp32.exe
5100	Mpablkhc.exe
4944	Miifeq32.exe
4788	Ncbknfed.exe
4664	Nngokoej.exe
4764	Ndaggimg.exe
4888	Ncdgcf32.exe
8	Ngpccdlj.exe
4556	Njnpppkn.exe
3324	Nlmllkja.exe
4856	Nphhmj32.exe
1492	Ndcdmikd.exe
5048	Ngbpidjh.exe
4320	Njqmepik.exe
624	Ndfqbhia.exe
2976	Ncianepl.exe
4784	Nfgmjqop.exe
1100	Njciko32.exe
5148	Nlaegk32.exe
1460	Ndhmhh32.exe
4264	Nggjdc32.exe
220	Nfjjppmm.exe
1660	Olcbmj32.exe
2348	Odkjng32.exe
528	Ogifjcdp.exe
3276	Ojgbfocc.exe
3968	Olfobjbg.exe
1376	Opakbi32.exe
436	Ocpgod32.exe
1188	Ofnckp32.exe
3940	Ojjolnaq.exe
4372	Olhlhjpd.exe
5516	Odocigqg.exe
4720	Ocbddc32.exe
696	Ofqpqo32.exe
5596	Onhhamgg.exe
3508	Oqfdnhfk.exe
2968	Ocdqjceo.exe
3100	Ofcmfodb.exe
2056	Ojoign32.exe
3560	Olmeci32.exe
4128	Oddmdf32.exe
4100	Ogbipa32.exe
5688	Ojaelm32.exe
3956	Pmoahijl.exe
2280	Pdfjifjo.exe
5952	Pcijeb32.exe
4492	Pfhfan32.exe
1580	Pnonbk32.exe
2804	Pqmjog32.exe
5976	Pclgkb32.exe
5404	Pggbkagp.exe
4636	Pnakhkol.exe
3040	Pqpgdfnp.exe
3832	Pcncpbmd.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Pgllfp32.exe	Pdmpje32.exe
File created	C:\Windows\SysWOW64\Chempj32.dll	Qgqeappe.exe
File created	C:\Windows\SysWOW64\Mglncdoj.dll	Amgapeea.exe
File opened for modification	C:\Windows\SysWOW64\Bmbplc32.exe	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Cagobalc.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Dmcibama.exe
File created	C:\Windows\SysWOW64\Ahioknai.dll	Ngpccdlj.exe
File opened for modification	C:\Windows\SysWOW64\Pnakhkol.exe	Pggbkagp.exe
File created	C:\Windows\SysWOW64\Hjfgfh32.dll	Qmmnjfnl.exe
File opened for modification	C:\Windows\SysWOW64\Amgapeea.exe	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Aepefb32.exe	Acqimo32.exe
File opened for modification	C:\Windows\SysWOW64\Bgcknmop.exe	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Mdckfk32.exe	Lphoelqn.exe
File opened for modification	C:\Windows\SysWOW64\Ocbddc32.exe	Odocigqg.exe
File opened for modification	C:\Windows\SysWOW64\Pmfhig32.exe	Pjhlml32.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Nkenegog.dll	Ncbknfed.exe
File opened for modification	C:\Windows\SysWOW64\Ndaggimg.exe	Nngokoej.exe
File created	C:\Windows\SysWOW64\Njciko32.exe	Nfgmjqop.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Dmefhako.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Ijfjal32.dll	Medgncoe.exe
File opened for modification	C:\Windows\SysWOW64\Mpablkhc.exe	Mmbfpp32.exe
File opened for modification	C:\Windows\SysWOW64\Nggjdc32.exe	Ndhmhh32.exe
File created	C:\Windows\SysWOW64\Gpaekf32.dll	Onhhamgg.exe
File opened for modification	C:\Windows\SysWOW64\Pdfjifjo.exe	Pmoahijl.exe
File opened for modification	C:\Windows\SysWOW64\Olmeci32.exe	Ojoign32.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Njqmepik.exe	Ngbpidjh.exe
File opened for modification	C:\Windows\SysWOW64\Ofqpqo32.exe	Ocbddc32.exe
File created	C:\Windows\SysWOW64\Ocdqjceo.exe	Oqfdnhfk.exe
File opened for modification	C:\Windows\SysWOW64\Ojoign32.exe	Ofcmfodb.exe
File created	C:\Windows\SysWOW64\Gmdlbjng.dll	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Eeiakn32.dll	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Cfpnph32.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Chagok32.exe
File created	C:\Windows\SysWOW64\Ojjolnaq.exe	Ofnckp32.exe
File opened for modification	C:\Windows\SysWOW64\Pmoahijl.exe	Ojaelm32.exe
File opened for modification	C:\Windows\SysWOW64\Pggbkagp.exe	Pclgkb32.exe
File created	C:\Windows\SysWOW64\Elcmjaol.dll	Pjhlml32.exe
File created	C:\Windows\SysWOW64\Ajhddjfn.exe	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Ldfgeigq.dll	Accfbokl.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Cjmgfgdf.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Mgddhf32.exe	Mdehlk32.exe
File opened for modification	C:\Windows\SysWOW64\Qgqeappe.exe	Qdbiedpa.exe
File created	C:\Windows\SysWOW64\Laqpgflj.dll	Qddfkd32.exe
File opened for modification	C:\Windows\SysWOW64\Aepefb32.exe	Acqimo32.exe
File created	C:\Windows\SysWOW64\Eflgme32.dll	Bgcknmop.exe
File opened for modification	C:\Windows\SysWOW64\Cnffqf32.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6192	5676	WerFault.exe	237

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lphoelqn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndaggimg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndcdmikd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogifjcdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olmeci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmfhig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofqpqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pclgkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmbfpp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlmllkja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngbpidjh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njciko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofcmfodb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odkjng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olfobjbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflplnlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Miifeq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njqmepik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opakbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgllfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdehlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocpgod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqfdnhfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoahijl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfgmjqop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olhlhjpd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmmnjfnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocbddc32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igjnojdk.dll"	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeiakn32.dll"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjhbihm.dll"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Doilmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdjinlko.dll"	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ngpccdlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidlk32.dll"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Olfobjbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ncdgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mlopkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhbopgfn.dll"	Njqmepik.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ocbddc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odaoecld.dll"	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjpabk32.dll"	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lphoelqn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laqpgflj.dll"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mmbfpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nfjjppmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elcmjaol.dll"	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgldjcmk.dll"	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdlbjng.dll"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Medgncoe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ndcdmikd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Njciko32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Odkjng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ojoign32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pcijeb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oicmfmok.dll"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbffb32.dll"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omocan32.dll"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mgimcebb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5384 wrote to memory of 116	5384	2025-04-10_e5d54ea320209a3887a950e8bd2393b8_amadey_elex_rhadamanthys_smoke-loader.exe	87
PID 5384 wrote to memory of 116	5384	2025-04-10_e5d54ea320209a3887a950e8bd2393b8_amadey_elex_rhadamanthys_smoke-loader.exe	87
PID 5384 wrote to memory of 116	5384	2025-04-10_e5d54ea320209a3887a950e8bd2393b8_amadey_elex_rhadamanthys_smoke-loader.exe	87
PID 116 wrote to memory of 4116	116	Lmiciaaj.exe	88
PID 116 wrote to memory of 4116	116	Lmiciaaj.exe	88
PID 116 wrote to memory of 4116	116	Lmiciaaj.exe	88
PID 4116 wrote to memory of 1564	4116	Lphoelqn.exe	89
PID 4116 wrote to memory of 1564	4116	Lphoelqn.exe	89
PID 4116 wrote to memory of 1564	4116	Lphoelqn.exe	89
PID 1564 wrote to memory of 5372	1564	Mdckfk32.exe	90
PID 1564 wrote to memory of 5372	1564	Mdckfk32.exe	90
PID 1564 wrote to memory of 5372	1564	Mdckfk32.exe	90
PID 5372 wrote to memory of 1380	5372	Medgncoe.exe	91
PID 5372 wrote to memory of 1380	5372	Medgncoe.exe	91
PID 5372 wrote to memory of 1380	5372	Medgncoe.exe	91
PID 1380 wrote to memory of 2264	1380	Mlopkm32.exe	92
PID 1380 wrote to memory of 2264	1380	Mlopkm32.exe	92
PID 1380 wrote to memory of 2264	1380	Mlopkm32.exe	92
PID 2264 wrote to memory of 1624	2264	Mdehlk32.exe	93
PID 2264 wrote to memory of 1624	2264	Mdehlk32.exe	93
PID 2264 wrote to memory of 1624	2264	Mdehlk32.exe	93
PID 1624 wrote to memory of 1744	1624	Mgddhf32.exe	94
PID 1624 wrote to memory of 1744	1624	Mgddhf32.exe	94
PID 1624 wrote to memory of 1744	1624	Mgddhf32.exe	94
PID 1744 wrote to memory of 3572	1744	Mlampmdo.exe	96
PID 1744 wrote to memory of 3572	1744	Mlampmdo.exe	96
PID 1744 wrote to memory of 3572	1744	Mlampmdo.exe	96
PID 3572 wrote to memory of 4156	3572	Mgimcebb.exe	97
PID 3572 wrote to memory of 4156	3572	Mgimcebb.exe	97
PID 3572 wrote to memory of 4156	3572	Mgimcebb.exe	97
PID 4156 wrote to memory of 5100	4156	Mmbfpp32.exe	98
PID 4156 wrote to memory of 5100	4156	Mmbfpp32.exe	98
PID 4156 wrote to memory of 5100	4156	Mmbfpp32.exe	98
PID 5100 wrote to memory of 4944	5100	Mpablkhc.exe	99
PID 5100 wrote to memory of 4944	5100	Mpablkhc.exe	99
PID 5100 wrote to memory of 4944	5100	Mpablkhc.exe	99
PID 4944 wrote to memory of 4788	4944	Miifeq32.exe	100
PID 4944 wrote to memory of 4788	4944	Miifeq32.exe	100
PID 4944 wrote to memory of 4788	4944	Miifeq32.exe	100
PID 4788 wrote to memory of 4664	4788	Ncbknfed.exe	101
PID 4788 wrote to memory of 4664	4788	Ncbknfed.exe	101
PID 4788 wrote to memory of 4664	4788	Ncbknfed.exe	101
PID 4664 wrote to memory of 4764	4664	Nngokoej.exe	102
PID 4664 wrote to memory of 4764	4664	Nngokoej.exe	102
PID 4664 wrote to memory of 4764	4664	Nngokoej.exe	102
PID 4764 wrote to memory of 4888	4764	Ndaggimg.exe	103
PID 4764 wrote to memory of 4888	4764	Ndaggimg.exe	103
PID 4764 wrote to memory of 4888	4764	Ndaggimg.exe	103
PID 4888 wrote to memory of 8	4888	Ncdgcf32.exe	104
PID 4888 wrote to memory of 8	4888	Ncdgcf32.exe	104
PID 4888 wrote to memory of 8	4888	Ncdgcf32.exe	104
PID 8 wrote to memory of 4556	8	Ngpccdlj.exe	105
PID 8 wrote to memory of 4556	8	Ngpccdlj.exe	105
PID 8 wrote to memory of 4556	8	Ngpccdlj.exe	105
PID 4556 wrote to memory of 3324	4556	Njnpppkn.exe	106
PID 4556 wrote to memory of 3324	4556	Njnpppkn.exe	106
PID 4556 wrote to memory of 3324	4556	Njnpppkn.exe	106
PID 3324 wrote to memory of 4856	3324	Nlmllkja.exe	107
PID 3324 wrote to memory of 4856	3324	Nlmllkja.exe	107
PID 3324 wrote to memory of 4856	3324	Nlmllkja.exe	107
PID 4856 wrote to memory of 1492	4856	Nphhmj32.exe	108
PID 4856 wrote to memory of 1492	4856	Nphhmj32.exe	108
PID 4856 wrote to memory of 1492	4856	Nphhmj32.exe	108
PID 1492 wrote to memory of 5048	1492	Ndcdmikd.exe	109

C:\Users\Admin\AppData\Local\Temp\2025-04-10_e5d54ea320209a3887a950e8bd2393b8_amadey_elex_rhadamanthys_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-10_e5d54ea320209a3887a950e8bd2393b8_amadey_elex_rhadamanthys_smoke-loader.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:5384
- C:\Windows\SysWOW64\Lmiciaaj.exe
  C:\Windows\system32\Lmiciaaj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:116
- - C:\Windows\SysWOW64\Lphoelqn.exe
    C:\Windows\system32\Lphoelqn.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4116
  - - C:\Windows\SysWOW64\Mdckfk32.exe
      C:\Windows\system32\Mdckfk32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1564
    - - C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5372
      - C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1380
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1744
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3572
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4156
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5100
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4944
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4788
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4664
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4764
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4888
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:8
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4556
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3324
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4856
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1492
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5048
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4320
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:624
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        26⤵
        Executes dropped EXE
        
        PID:2976
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4784
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1100
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5148
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1460
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4264
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:220
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1660
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2348
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:528
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3276
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3968
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1376
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:436
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1188
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3940
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4372
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5516
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4720
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:696
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5596
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3508
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        48⤵
        Executes dropped EXE
        
        PID:2968
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3100
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2056
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3560
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4128
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        53⤵
        Executes dropped EXE
        
        PID:4100
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5688
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3956
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        56⤵
        Executes dropped EXE
        
        PID:2280
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5952
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4492
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        59⤵
        Executes dropped EXE
        
        PID:1580
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2804
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5976
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5404
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4636
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3040
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3832
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:3788
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2404
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:4796
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        69⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4980
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4612
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:4872
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1248
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        73⤵
        Modifies registry class
        
        PID:5884
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        74⤵
        Modifies registry class
        
        PID:2188
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        75⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4644
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5028
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        77⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3816
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        78⤵
        Drops file in System32 directory
        
        PID:1712
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:856
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        80⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1552
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1828
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2840
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        83⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        84⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1724
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5092
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        87⤵
        Drops file in System32 directory
        
        PID:3192
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        88⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3436
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5336
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        90⤵
        Drops file in System32 directory
        
        PID:1716
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:2740
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2832
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        93⤵
        Modifies registry class
        
        PID:2292
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1484
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        95⤵
        Drops file in System32 directory
        
        PID:684
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        96⤵
        Drops file in System32 directory
        
        PID:6048
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        97⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4468
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        98⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5872
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4388
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4760
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        101⤵
        Modifies registry class
        
        PID:3456
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6012
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        103⤵
        Modifies registry class
        
        PID:3576
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5420
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        105⤵
        Modifies registry class
        
        PID:1512
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        106⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3232
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        107⤵
        Modifies registry class
        
        PID:3948
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        108⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3296
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4412
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        110⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        111⤵
        Modifies registry class
        
        PID:1920
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        112⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5632
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        113⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3964
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4696
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        115⤵
        Drops file in System32 directory
        
        PID:4464
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        116⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1276
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        118⤵
        System Location Discovery: System Language Discovery
        
        PID:996
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        119⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        120⤵
        System Location Discovery: System Language Discovery
        
        PID:4876
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4624
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        122⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4332
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        123⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5652
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        124⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3520
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        125⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4052
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        126⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4168
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        127⤵
        Drops file in System32 directory
        
        PID:4712
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5648
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        129⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1752
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        130⤵
        Drops file in System32 directory
        
        PID:5836
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4604
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        132⤵
        Drops file in System32 directory
        
        PID:5504
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2440
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:868
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        135⤵
        Drops file in System32 directory
        
        PID:4376
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        136⤵
        System Location Discovery: System Language Discovery
        
        PID:5896
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5328
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        138⤵
        Modifies registry class
        
        PID:448
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        139⤵
        Drops file in System32 directory
        
        PID:5780
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        140⤵
        System Location Discovery: System Language Discovery
        
        PID:3944
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        141⤵
        System Location Discovery: System Language Discovery
        
        PID:1864
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        142⤵
        System Location Discovery: System Language Discovery
        
        PID:4436
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3156
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        144⤵
        Drops file in System32 directory
        
        PID:2412
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        145⤵
        System Location Discovery: System Language Discovery
        
        PID:4056
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        146⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1468
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        147⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5676 -s 216
        148⤵
        Program crash
        
        PID:6192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5676 -ip 5676
1⤵
PID:6164

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:5648

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:1752

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ajanck32.exe

Filesize
400KB

MD5
1456cea2d1ad8fa1fb1c17a0d17ece58

SHA1
4e3d31487983382b3cc4e7d23a5e4703ac0768ce

SHA256
57f9c4385944f696de763119719bb815e2939d8e57fc3002768c4b613c0d4dc5

SHA512
3e6dcb114439ac8dfd1a2b376d34d28acb411c09e540631d9b411e955e0e1cd50154f35b437bdf5ad7ff7dc1c919580fdc2d4e785663a075b1d2a3677bad2987

Download Submit
C:\Windows\SysWOW64\Ajhddjfn.exe

Filesize
400KB

MD5
6ec9148e6330ab66d6e99508ac92fd6b

SHA1
87d63efd0a15bb0f684f31949f70b33322df0c07

SHA256
7ae9279657b09f7dd9dd661e00f0b2976d31c2a6e78071861053763cbd2c94f3

SHA512
caaecafb13f741b9ddc7a7e90325cd6a0f843bd4f4342b65a518cb540c7cc832f6a8919417ce56175199d4bc0aa39d3f8a2faf2f8e5f49bf098af325f4ed515f

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
400KB

MD5
ae09e7a12fb551f1814c209bf977add8

SHA1
d3dfcdc000b6512b34085daa9fb63cf45bd91700

SHA256
4d6e26ae104b2ab1acd4a2572be28cfc4a3533374a143994116f14751fb8ecb2

SHA512
7914e7a33ee299c0981fa4a7804ad9b2aeebfba213e6e4c2e0469f91bae6dd4fad22789c431712d94080ec5d108b757f6d9c7c0de5db81659d89972be1c93c0e

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
400KB

MD5
ecd17ff7bb936b30e968a6bd113492b9

SHA1
2bfc46bc0b93eaddb7d25a1eadd2a8eade29e94f

SHA256
040152ff8a2192a3919833a3a84d3339b5d92595a9ddedb10f9e4c0bed458466

SHA512
5184b16b3c25893eb382daf3ad85353f20a9ac9bc625ac99a49364b49a8b993223dc014fde6a3d303dce8aa720a742cb4a485c118366c6933b2ca85962b75ce1

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
400KB

MD5
ce0c313b47f3d11d020f219fbb452305

SHA1
6dd9104ad7e7dc22befdb22de1c02cbf298c15a9

SHA256
d65dfb3e0a8d010d249cc74c2a8ccc1c2e790d1d4d17f7975fcd5e73e48ed7dc

SHA512
71cfd1817969341f68ee485c2c238a6382d1bd755ad558c64dd1395ae565c973113f5b6a4880f8fae4c7d4673d2a750ca1deaaebd7ddec5611465b487c082bfc

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
400KB

MD5
d35637a460a8797754bf8e8d3bf3460a

SHA1
c9430e99dcc4fc3e58c4e6309a43ab2d8e29edfb

SHA256
0b437f1752bf95d25c5c542c7f7cf7c8dfd2f886deae47f05f2962dd6dd9f07c

SHA512
af2bc869368df37f68a545c51e447e656deba6a6142d262bf772d1fec2f7d0687dff4fb22c8122705155836c7547a6468e68d9c473f05fb9623407309739aab4

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
400KB

MD5
78f0af549fbbd313839f7f76090a3fb3

SHA1
3a4c1711dd1279ba50dca4421fb4a86e7abc36f8

SHA256
81463bb8e9d6af94ddff589b571b8bbd8ccf9576883737e4dd895cccde1e74ee

SHA512
c21d762c383d649d55004408e27773c5d5bafe46e29757cf26d703d31f30938ae446c41f59f9c30d4a1dd96504149f6ca01a53319cefc41d5df7028da252ca64

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
400KB

MD5
ee008fef815a64986de0c0cb4d3ad3cb

SHA1
6110a1e69e311d552c1bcf647483df935da866b0

SHA256
ef3a2e1ce000a4d2738c6083693ace4497c9adb13e8e1512b57f6bcf9cecdaa7

SHA512
2f4cf975f0750c434dec6cf125baef16febd8be55727f85e5c17541146613d17e94f16e92f275e2ca3e569622ea38ce9820d00537494e4ea13562d1ef88d2cd4

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
400KB

MD5
676074f3aa19a7954472c9afe69645f6

SHA1
ea892cbc8aa08126e383d027cf6b0c463c95c5f7

SHA256
44fc0f1975e65c2471ec80dedfe7d17732496d56be62a53f23241af6399d6eb8

SHA512
07fddae1fbefdccc52ec55931ca71bd944e6ed9cf3fcf71028cae816d689b088338a2317da9f34ea9263720c7c0a61c5b3e58d4b9acc756969634d155f85d564

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
400KB

MD5
3360484879137ad52fae166094b65298

SHA1
a5110cf4f22742b3c646eb60f6e066b12d57ceb0

SHA256
881bca108696e9b717747de1ccc207ae2f207db4bb29dff966cd891542243d58

SHA512
46f2854a0085a272869e45f73890fe3ea4628b7f922c20e7a8d6de7ea9feee9f5f3e0ae575f249bb56cf1c5a08abb1819606992eaf2175c618c0452f6d5ad2b9

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
400KB

MD5
9186c11de478e3857ced457422ae44a1

SHA1
f5e16dbe236266eb33f721e1a54b8a901ad2a3b3

SHA256
95dc3c0fa81fbddcb4ff38797fc23bc1fc31f05cc20d5f80e56683da7616553d

SHA512
94721d3d45760d1465f58ba5e6967e2bbe369e1036f4ddad85e9846084df81bd2de41b1816e5e5ad23da8a77d68ab91a208ce91e648d239d956b9247c8667f6e

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
400KB

MD5
197e241a561d9da36871a1586871f48a

SHA1
a382fb5c93f9dde1e6a6ecf044b322fd8758f6ac

SHA256
c7c1b93ea927de50a80f158b28b522872587d727654bc30068ab0ccb1f47f125

SHA512
7f993e5d0bc39af6b43466616ea90eb2f8231c0caa26ac73f042d3d8ab05987307bddc75f127bdfdc37db548b602534668b61b671d3e12d14f39c42467aeb92b

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
400KB

MD5
409f879c72016b029788f474b6f27661

SHA1
3fa80f633f007d457bf411fe90bd45263d0413d1

SHA256
01e7189805e52fd8ab7772106d10502af0112dd5c26829608c3f9a02ebc77f8a

SHA512
f4dfef152c83a90c7e9c1732782b9c7be74ab15359e9a943b6f3f777a59ce58582e4cd65a25b8038e4197743046be1f92027acd6180bb65dbff10491e23e1ce6

Download Submit
C:\Windows\SysWOW64\Ijfjal32.dll

Filesize
7KB

MD5
8bdbe8b19c0a48896dde0103bfb55324

SHA1
8d82e6910277fc7993d7793a2e891d547d666d48

SHA256
825956ee7a07e078bf87c674b2e3ac857fedcae3778e0ed78b5c9e2538ba95a8

SHA512
0b49b90a1e974f97e4a5ca04d8d1d75bb71eb60dc5d5f55b0e34e16002e66a68eb52b0ac4ceec34fd9a31f44d0d1445fe75429d2dbb9c932c95648e153a9c125

Download Submit
C:\Windows\SysWOW64\Lmiciaaj.exe

Filesize
400KB

MD5
a34aae4589c7de9617aaaedeffda5f8a

SHA1
445cf0715e30421949bed9b4dc8e1f1235d73b15

SHA256
a99be4429fbf7c41861c247402a0a0a8a2b3df72638fd64546f36b2c752435a3

SHA512
12ed6017fbc61ecdbdba7cab34a68a90bab9c7a2beeb72f68eeeb402c420cba45f4d7914df4c8644c4394d279d3d46909f6d6f24362a011e1e6b43e3778509d6

Download Submit
C:\Windows\SysWOW64\Lphoelqn.exe

Filesize
400KB

MD5
e6dcbaa636883b011c911395f38c4872

SHA1
a14394eac2dedf4908f707ccdcb8fc29f25a9fa5

SHA256
ae4d45cddfd139b264b6038dd13be968dc4711e484017305149c549103a4785b

SHA512
8d4d34465f64f6f74157cf60a3264057e1a1fba93bc3e8c2f9685b85816ea1e4b443a5be12212229ca2b8ff20fe0a5fd4f55a81ceb7a0dab35bb42c3831cc1a0

Download Submit
C:\Windows\SysWOW64\Mdckfk32.exe

Filesize
400KB

MD5
24e5aa9125e0ac57148b180858931a8c

SHA1
1b8d151fc09cc9e66bbf6f2a0e1c053ce3cff6dc

SHA256
b703b4c39e234e41315d22b038ac02fc8ed8cce24361e8b2dd4829441f0c71d5

SHA512
3d30d060243186f965c739da728dbecd449ea5ec6a9fb93611e4f2cfc1ef4f40e0e05856eedfad8da93374ddbf6179e8de82ed7f09985fb6ec5a60aa1fd9fe1b

Download Submit
C:\Windows\SysWOW64\Mdehlk32.exe

Filesize
400KB

MD5
41769514f78785623e95d59809a56610

SHA1
fdba0728e2260cbd0aa1790c39bae57bc90e4bcb

SHA256
a6870ebbe7ee02c1a6c08ea0501f64241ace99eb884134a720f5c462a1db817a

SHA512
59cbe64cc1515955749291c8222a9d3d6d3862c44f952a16a822301ccf8c1ca4824769efcde75da538c5d4f792011bc1e0550d6fd2741cd2c565d9622a2feb65

Download Submit
C:\Windows\SysWOW64\Medgncoe.exe

Filesize
400KB

MD5
ef574c652086b7e84f17f188a61184c9

SHA1
15b3851677305664ad6ca55fbb6d90b4a6e4adc4

SHA256
a0b9f8ad26cf9d15af5193becf0c143514fce78a8bf00feeb8476833f2030b31

SHA512
8d00d45f06ac9a4f9d0cd5c293f3de4be393eb22135f2fc19cd330c3eeaa7606cd51419f5ba83992cd5351c38010ddb840d95857b14f0736dfc66c766852fc7c

Download Submit
C:\Windows\SysWOW64\Mgddhf32.exe

Filesize
400KB

MD5
4ab41760bf0f8dfdc81de9f460bc5ec5

SHA1
62790d82d875c5a5aa31dcd14727e98b3b885940

SHA256
ffc872f4590eeee4a470e01b225d5e179a6b2ff7375afd5d43bb12d63c18f64b

SHA512
7315d97646f1ede429f6a4098bc2b0ed10b6539c98c89b06458b4419e269afa4d65aca884a494bc73330d45c6ec3cd3e7cc2879cfb8ece12aa60a234810cdf7b

Download Submit
C:\Windows\SysWOW64\Mgimcebb.exe

Filesize
400KB

MD5
eea115f858a81d15df9e43b4b4bf6ddf

SHA1
a27992d05264d2c435da2608db6c19222b3f13d1

SHA256
26cedbba930a4c391b4d2d3614c291964588f1514acfcdc0bf8f66eac2c7283b

SHA512
c41fa55e1e09689e7e9048a10971ed180367fe8c2fc95374a51636c425caaf024bd3264f7cfc681466c73809bd130ce9effeca52df3d744145b01477b3a25c6b

Download Submit
C:\Windows\SysWOW64\Miifeq32.exe

Filesize
400KB

MD5
054143bd240d3aeb40c90afed8ac33bc

SHA1
14fb7d97b52b1557d039f6cf50bf05f4f07ca83a

SHA256
ef168612632ebb6421f5a0969752ddff5515d5459191d763957b2e3404a79c7d

SHA512
5a2716dc151d909b0f6d74725e59e5ff3aa4b31f0e87779dcfcb5d3f0c825028d378e1c2c0beef359a0e98c29988016f9dec760e704f43a2a44e35cc46775e84

Download Submit
C:\Windows\SysWOW64\Mlampmdo.exe

Filesize
400KB

MD5
de6c9f2fe65761ac00a2f1517aee8b11

SHA1
cb49c256ec941547908e53cff461db335c4f88b1

SHA256
13287a12450e898999679f81a51c3fb4bd04fcbc15ae1704d0dee652603ce5dc

SHA512
ba833839ad6e7565c4975c9cdd5e377d006003ba417a7726650f64bae2dbfdf242ffde141b6e8f0bf45c785813d2d2c9aab911dfddd847c108fd4d745fc7c51d

Download Submit
C:\Windows\SysWOW64\Mlopkm32.exe

Filesize
400KB

MD5
fec9fe6e078bf0ef824748aadea76134

SHA1
f02ce0e0f3f689f2826226f848767f455de36d16

SHA256
f5729d0970cad40b866a91c46201caba6f09b0e4e4ceafa04d09b2df900e5015

SHA512
68a7e95936dc44711678901c26ad57ff48dc904569b8c31acca79e9b2616bed955afb72529c8b6cc487472aab4fa107e94ada4a4714bcbeb551f88fc84ca5158

Download Submit
C:\Windows\SysWOW64\Mmbfpp32.exe

Filesize
400KB

MD5
4ddd6db31736f2ae2c7566ed413185fe

SHA1
d16ff341f41a4422f5a04b46054cabb87ca37928

SHA256
200fc15995d1332945650cb0bf3c92f622ecdfa7f65beadd03fea63426bf9dff

SHA512
28bee1f0bd2d0c71e601c7a57d7767f22c8e8ebbe4308de4cc81bfa5145e3cc46b116bf06cd2bdaa38c52d2236dfb9cbc2ddafdf0f06337197761f0f08b21b6b

Download Submit
C:\Windows\SysWOW64\Mpablkhc.exe

Filesize
400KB

MD5
3f123b4ca955955b78b1c75fd007fe59

SHA1
7c43c57346b17be57eef1a3a0372bbbce655e58c

SHA256
9b60d5e83eba66804409d3f1fc789e5f38226d4aff6cb2c5c98397eacc6b4524

SHA512
be7e7478a94618604f38b1b4f33c75b83934b9aa00e3bfab49abfcde99b51264c992b7962ee4384bb213c9378e6a3274cc14a181262e6d0ce4b5ff2c0ea35aa0

Download Submit
C:\Windows\SysWOW64\Ncbknfed.exe

Filesize
400KB

MD5
40ad9c15f90f76b873d1244a5b522f7d

SHA1
443622596670e56d53559088c1e6cbbada01885c

SHA256
151b9e7402fdc5d586b1a9571462da3fcaacdd88ee28ac71e661fe3cd9214ea3

SHA512
9cc3ae35540057d1f596c2fdbb31fedf2d7c5f162a75ce25dbab438f0d5de995c1e88c922345e8fc914e42ba7660ea90e4976ea03e611b9bfa9bf07ae37e918d

Download Submit
C:\Windows\SysWOW64\Ncdgcf32.exe

Filesize
400KB

MD5
8b9820f833e9636b38234e5216959c68

SHA1
ab1031dc96877aac0078f217723d11a76b275d72

SHA256
9a72d88fbc2d8f3c608b54ef6a6b7f1b4d1749444ce8c3c88e9b4323df4c53bd

SHA512
b5155822136a500a2133885edf89512239681511f0829d0ec1dda64822b9aae99873eeae5cda66fa3d255074598060a0d6cc97db5cd9ad50d098a735a29dc949

Download Submit
C:\Windows\SysWOW64\Ncianepl.exe

Filesize
400KB

MD5
b1d2efdd90c365d5ff4e7b7bb18b531a

SHA1
619fcbd5ea03ed22a3082a5dd23d1beffb96df47

SHA256
8b50d22ff66a0a8c7428c26c941dbf9114ce4c340af754c7ba30302b057b6cb3

SHA512
95fcc48e1cb3c9fd05b65ee6c7f656aff4b4db4e25f7414bf747931623fd02bf087fe15a2a5bda3baf4c0fca1a83d92fdba2a05ce2cf745984bdfd3c62594144

Download Submit
C:\Windows\SysWOW64\Ndaggimg.exe

Filesize
400KB

MD5
834795241f76fe731907c4086cbd2946

SHA1
38d4c63413d8c8f37002f3162f61247e61a045ff

SHA256
2daf442dbec8e12870dd9988fcc4f93190fbc29deabd38f7a87833f926315cbc

SHA512
b1fdb7ed3acdbe805e1136b4433fb3a5ee62c4d8887ab70226b00b7da5904d908598df2d535fd625b0e1ff436dce8c4a9ee7aa336b83b38ff83b1c074f06893b

Download Submit
C:\Windows\SysWOW64\Ndcdmikd.exe

Filesize
400KB

MD5
dc2e983f6d6d8182ba8dbe82ca017f86

SHA1
6dbbb1de966f4b9bfa786f70907ca2ba43184c8d

SHA256
b2996abba00517fe5ef2bda21287a79646617c52fa4e5265e3482f798034ce49

SHA512
5424427eb6af0ab5dabce922039c3ef0d96a17c2311761c21c87f6c7dd4b18190900452a35c3234eae0e58602fd9d5e568c3f8f44a574dba64852ecbf12d630e

Download Submit
C:\Windows\SysWOW64\Ndfqbhia.exe

Filesize
400KB

MD5
a1cbfc4e4e0e9a35b9fd5c71a40c4645

SHA1
a2bf0fb8bc86bdb5957114291db5484a9b372676

SHA256
7a6644bf49a10cf200813fd0595b5e817809be6a5f51b3aa0ecfabee35649161

SHA512
2ced15d295d24d87931457bf28015600b9bd06745c6100741d23c15f25e143445ab6ca7ce9d858ab12a8ae9e36b8a2a5c0ab4f899086fcadb3be273035297a5c

Download Submit
C:\Windows\SysWOW64\Ndhmhh32.exe

Filesize
400KB

MD5
a447d3c9b9f396c2aa860d3ca4cd66b2

SHA1
f9cc52db219dd62d998b5172d7f0fd76e93ffc29

SHA256
66766294eddfbbeae96aed523262fd6cadebb3fb796436569c528578dcc1baf3

SHA512
34e42250f5ce5d72fe4e83ed88be8432bbe185fb86622759cb3493f10df1c69f819aaa4c437819e7cb2ffcffd6dc7cb8c87566dce0148d6d2a4ecaae8ac243f1

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
400KB

MD5
e106acda81ba64093ddfd3e7a4a2c9c3

SHA1
3e35e2c2d913944a2d6592884e72afc691f31c32

SHA256
2aad2d488af1fa9f2cac609b35748df382bd32f6ab2e7eb0d0a1662b9c7753af

SHA512
d5f8e2ef3675d70b327cc2032ff0982a8d303ab4a3e7349135372c68430a4ee42510a3fdfe6a3fdb2df2928a44f77bf868fa114460b6660bca3bc9943e8e0407

Download Submit
C:\Windows\SysWOW64\Nfjjppmm.exe

Filesize
400KB

MD5
a12d8a89494c6c0442bd570fca13abf8

SHA1
c5da1092eb312ef8b623006e15e22e88434107c2

SHA256
7fd4354b0121cc1c3576436362822c58960d5570dcde625cd6f0a956c53cf662

SHA512
af15c9115af466cc4d93833df9d354bf96c515f5aee80e6d2c507a7702c8948ccd64e22120ef2f5d490120bdbd1e26c8aa34ce4b76cf5346b35d86f4bab36937

Download Submit
C:\Windows\SysWOW64\Ngbpidjh.exe

Filesize
400KB

MD5
465e70d9baed6f347ff48a031c4a119a

SHA1
b349f2744558b92206bb613ce99bee8f1c273b4b

SHA256
1a461a788a584150e7bb9747b85c76f105031f476beb54bdf7d9fa4971a2ac77

SHA512
40b17abd2dcc486412384f7854e5d345f181d3577756f148a6a23d78c7bd8d7506a009649a1cabb499e0bff553bef8c22a01d6828ef63e39c2252fd77bcd2753

Download Submit
C:\Windows\SysWOW64\Nggjdc32.exe

Filesize
400KB

MD5
eefd4d5f305179efc5911f1bfe653c11

SHA1
b46375f28291ccbbc2d992ac2bbe9f36ef0ffcb2

SHA256
17e7e7d508d06938ad5e54bddb11d97100dc41ceb558030e7138de4f86cb1cec

SHA512
37915778653adad7259b3e0d82a87a8ed85f2d5d2c8cf46ed3a7f92f6e788296088099561ac32ad6389e4b9d2c10ba66a95c41678242177bd75c89b72debb53c

Download Submit
C:\Windows\SysWOW64\Ngpccdlj.exe

Filesize
400KB

MD5
d0524546962809bbb328105e0e1346f8

SHA1
d9b1837a4bb8958350ba1a5f7f01a5e88421d77d

SHA256
bde77681d0d45f62b38165986ee17fbf5676501923760d4334edfb80aa5a3a43

SHA512
c5152c714fee0ebc0fefc343894a7d0ae07904dc88caf103fb2892da66a32c92ab5b09d1d17716da2c79da80a927fe8c38db9294d5bfb2a1d4b36208f7f17b6d

Download Submit
C:\Windows\SysWOW64\Njciko32.exe

Filesize
400KB

MD5
b08409396369b6f50cc0b38719aff69e

SHA1
50e03ac13c89dcc39de2ff373fb3067ca0fd862c

SHA256
5625dfcc71cd64a66a355d944d51f884b90042a7792d92c204040ce4a6efeab0

SHA512
a612f5c81ee59feed4017260958c525e57436c74272b0ec2fb0ace4ab9f131660e603b1b649522de2004fe2dc91826328bc2d0f9cd27e3214d33e14538479761

Download Submit
C:\Windows\SysWOW64\Njnpppkn.exe

Filesize
400KB

MD5
f808b0892208b00595c9024cbd1910e7

SHA1
faa8fdc6de597b32fbafd8bd058ee86e2d5af240

SHA256
b0557d7d7e4903cd9c0222999f441d4a5f094ad433869be1b184292607387995

SHA512
76524678f8f580805533438e4525cce25766217a6ee137b55515907a407fd82fe327d9ef61c46b2547ea006d0415b9b24ffb47e4ed2b2793aa75fa0790f347c2

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
400KB

MD5
c0e546aa928f9ce5a96e496784170ec2

SHA1
a8c79e5d945397dbe2602b84c45d15fda31565c5

SHA256
c33aa79e1eb12c9a422d4f2c27bd3ba5a8a8144ae863d0444ba471fc805366a4

SHA512
07e55cac0135c66472252f6110454dfb0aad84460fdcc7230f93f8924e1aefafb8d7f5bc58d616c256ce4c0a47f8aa876c1270713d204ee30426c57154c66589

Download Submit
C:\Windows\SysWOW64\Nlaegk32.exe

Filesize
400KB

MD5
c10999a72cda3bb74bb36f48c42cf384

SHA1
57e082938d0420d4ee2a67f46a8a1cce1f1811e8

SHA256
9e877f77e37de0389eb0a398d4f7e34e29beb42647dae333d790349ee324b175

SHA512
0dc17e07dfd513a5b959ca6ab76f31d8884d463f41121b41e6cda83f064971d7eaa42ca802815689481466be4761eee749a5a5d0980f1f149dc5b0ecf8da7d9f

Download Submit
C:\Windows\SysWOW64\Nlmllkja.exe

Filesize
400KB

MD5
8448d8b29d090a63463cf4f97e0e8c73

SHA1
6c86530cd361f660dca8794e17aaf73dedd1ea31

SHA256
8600989d7824f2f062c8925385c6b99193e5af6adacd1678251babfc64b9d507

SHA512
8f2336726c994cc21a562104e11fc9f816044067055bea02b6d1f3658ae6f70e4cfa67f4eb0eb44d490b03e455c3588ffa4c0197cbb108152885abc308250669

Download Submit
C:\Windows\SysWOW64\Nngokoej.exe

Filesize
400KB

MD5
a6dcac06516c7adccb579daca93d36c4

SHA1
fc6cf16fd211d292ca2b9a15c33be3c98db2c679

SHA256
8adbcda9f203f33ffd4dec7c78c32ee7be02570b3fb4e771cffbed7181cc99e7

SHA512
5be185508097317c06783ce25f9bc2cbcc7ad8858dbebb51b19f7e908839a90b2a756463e0c0ff1044fb3bd8026eb6b94c70446f6abfd1cdc3b9c60a5be2a558

Download Submit
C:\Windows\SysWOW64\Nphhmj32.exe

Filesize
400KB

MD5
c97d407bb8a27713202337fe97928042

SHA1
c1e38c85fa28e5c28ccc035701c093f31e29e4ce

SHA256
5dbc5565ff29dccc3c9dd7f081f897347aafe95af3ea78a01627094d16e1a59c

SHA512
2930bcd0a1a6af0eab75031326ff822aefdd4c9b57a3e54b5108c5104a1b2f0f97370ada1e27074ad5603ef27898c2394467b6730877d16f19fce47a5470d32c

Download Submit
C:\Windows\SysWOW64\Olcbmj32.exe

Filesize
400KB

MD5
7488b5a20e8e947e54d131c9c74f01ca

SHA1
48235ce7b6355a618fb9a08c2fdd09da01adb08c

SHA256
5c27b4f9a89665ee4d8efbfcea5a960024bfdb85649a7c9609963632709c3f8d

SHA512
3ff2d314a617daf68f403e064c7f1bd828ad1dada598e45e54024a754cd5431bf9c59cc7c760c9ffd5e1206d730720c044ffa924fc86f546ac5b814524079697

Download Submit
memory/8-140-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/8-634-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/116-528-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/116-7-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/220-250-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/436-292-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/436-1174-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/528-270-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/624-194-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/684-614-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1100-218-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1188-298-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1380-554-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1380-43-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1432-1032-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1460-234-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1492-661-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1492-172-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1564-544-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1564-24-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1624-1235-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1624-567-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1624-55-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1660-1185-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1660-258-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1716-582-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1716-1071-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1724-548-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1744-64-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1744-574-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2056-357-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2264-561-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2264-48-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2280-392-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2292-1065-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2348-1183-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2348-264-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2740-1070-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2740-589-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2804-415-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2832-1067-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2840-529-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2968-345-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2976-202-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3040-437-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3100-351-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3232-1040-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3276-276-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3324-1212-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3324-647-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3324-155-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3436-568-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3456-655-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3456-1050-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3508-339-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3508-1158-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3560-363-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3572-581-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3572-71-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3788-448-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3940-304-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3956-386-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3992-546-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4116-16-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4116-534-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4128-369-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4156-588-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4156-1230-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4156-80-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4264-242-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4320-673-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4320-186-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4372-310-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4376-982-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4388-1054-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4412-1033-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4468-628-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4468-1057-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4492-404-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4556-641-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4664-116-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4664-613-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4712-998-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4720-322-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4760-648-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4764-124-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4764-620-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4784-210-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4788-103-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4788-607-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4856-163-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4856-654-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4872-474-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4888-132-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4888-627-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4944-95-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4944-601-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5048-671-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5092-555-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5100-88-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5100-595-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5148-226-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5336-575-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5372-547-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5372-31-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5384-0-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5384-525-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5420-674-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5516-316-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5596-1159-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5596-333-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5688-380-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5872-635-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5896-979-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5952-398-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5976-421-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/6048-621-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads